SecurityBrief New Zealand logo
New Zealand's leading source of cybersecurity and cyber-attack news
Story image

The privacy and cybersecurity concerns of driving AVs in NZ

By Jessie Chiang
Tue 19 Jul 2022

There's a lot of debate to be had about automated vehicles. For many, the most immediate concern of driverless cars might be their physical safety, but there's a lot more at stake.

While automated vehicles (AVs) are highly advanced digital systems, like all computers, they are vulnerable to cyber attacks. Throw data privacy into the mix, and you have a lot of serious considerations that need safeguards. In May, the Ministry of Transport released the second draft of its Long-Term insights Briefing plan on automated vehicles (AVs). It looked at the impact automated vehicles could have on the transport system. There have now been two rounds of consultation, and the final version is expected to be released towards the end of this year.

So are we up to speed on this technology in New Zealand?

AVs in Aotearoa

New Zealand uses the International Standard J3016, developed by the Society of Automotive Engineers (SAE). According to the standard, there are different levels of automation, where zero means none at all and five means fully automated or driverless vehicles. The Ministry of Transport (Te Manatū Waka) says New Zealand has still yet to regulate AVs for levels three to five.

Currently, there are only vehicles with advanced driver-assistance systems (ADAS), such as automatic emergency braking roads, which is up to SAE level two. The ministry's strategic policy and innovation delivery lead Alec Morrison says the shift from level two to three is significant.

"Level three requires the driver to alternate between the role of an active driver in control of the entire driving task to monitoring the system and being ready to take back control at short notice," he says.

"It presents unique challenges regarding legal liability, in the instances of a collision incident, and safety - where the driver has the added complexity of alternating between roles. 

Morrison says in terms of higher levels of vehicle automation beyond level 3, New Zealand experiences a lag in vehicle technology.

"We import all our vehicles from overseas. The types of vehicles we might see will be impacted by these supply chains, but also driven by regulatory settings, compliance regimes and consumer demand," he says.

Hacking into an AV

The Ministry of Transport says AVs may pose new and complex data privacy and cybersecurity risks that could increase as vehicles become progressively more automated and connected to an increasing number of external networks or platforms. In addition, the reliance on digital software could increase the number of vehicles impacted by a single software failure. Morrison says the ministry has not yet undertaken detailed work on cybersecurity concerns for AVs in New Zealand, but current key considerations include:

  • The security of AV software systems

Morrison says security will become synonymous with safety. The risk to safety includes the risk that software systems could be tampered with or fail. Systems could also be hacked remotely, from any location geographically, potentially impacting an entire fleet of vehicles. 

"Hackers could either take control of the vehicle or shut down the network entirely (potentially for ransom). Vehicle hacking may become very lucrative as the number of AVs increase on the roads," says Morrison.

"There have already been claimed instances of remote vehicle hacking overseas. There will also be growing concerns around whether different generations of AVs remain secure throughout their lifetime."

There's the question of whether software systems will continue to be supported if the company goes out of business or the vehicle's hardware systems can no longer support the software updates. Moreover, while cybersecurity standards are being developed at the international level (mainly for manufacturers to adhere to), Morrison says this will remain an ongoing risk as new vehicle systems are developed and deployed. 

  • Security standards

Another factor is that different manufacturers will likely have different security standards and pose different cybersecurity risks when entering the New Zealand fleet. Morrison says New Zealand will need to agree on the standard it wants and impose it on all new and used vehicle imports.

  • Storing information

AVs will collect and store a vast amount of information. This information will be collected from sensors and cameras to support the ADS (automated driving system) undertaking the driving function. Morrison says personal information will also be collected to improve the user experience for those using AVs. Ensuring all this remains private and secure is a crucial consideration for the government. He says there is legislation around collecting and using data in New Zealand and sharing personal information.

The Privacy Act 2020 outlines a framework for protecting an individual's right to privacy of personal information. It also gives effect to internationally recognised privacy obligations and standards concerning the privacy of personal information, including the OECD Guidelines and the International Covenant on Civil and Political Rights. 

"Questions remain around who owns the vehicle's data, and how can individuals be assured the data is not being used for purposes other than what it was intended for," says Morrison.

Canterbury associate professor Christoph Bartneck researches human-robot interaction, and he says although the hacking of AVs with the intent of causing bodily harm is a possibility, it shouldn't be overly emphasised.

"We've seen this in movies like The Fast and Furious series, people take over a fleet of AVs and control them and crash them. But the question really, is that something that we need to be worried about?" he asks.

"You could kill somebody like that, okay. But there are much easier ways of killing somebody. So is that really the most realistic threat that we have to deal with?"

But he says the privacy considerations are concerning, and it's not even about hacking - it's about what kind of information the car manufacturer can keep on its customers. Bartneck points to technology that is seen in AVs like Tesla. There are built-in cameras facing the driver, and when it's switched on, the idea is that it tracks the face to ensure that the person is paying attention to the road. Bartneck says even though technically the person isn't driving, the car is doing that, they still need to pay attention.

"Tesla now requires people, when they want to use the autopilot system, that they agree for Tesla to get access to all recordings in case of a crash," he says.

"We are having the first lawsuits now. So there's a lawsuit in LA, where essentially person driving a Tesla with autopilot ran a red light crashed into another car, two people died."

"The driver says 'Well, it wasn't me I didn't do it, the autopilot was in control.' If Telsa has to assume responsibility for all the traffic accidents, that's very, very dangerous and potentially also very expensive. So they now require access to all the recordings so that they can prove it wasn't them."

Bartneck says Telsa also offers car insurance, which makes the situation even more concerning.

"Let's assume the case that you've got car insurance with Tesla, they've got access to the videos. Let's say a traffic accident happens, maybe the car misbehaves and then you are totally in the hands of Tesla because how are you going to prove them wrong?" he says.

"It's a terrible, terrible mess."

The associate professor says many AV manufacturers can be cagey about sharing information regarding crashes. For example, Bartneck says he was stonewalled when he tried contacting one company in Singapore about their test results.

"We asked them well, you've got this testing setup, can we get please access to the information? What happened? How many kilometers are driven? How many crashes did you have? No access, absolutely gone. The only way that you can get it is through police reports," he says.

The next steps for Aotearoa

The ministry says exact timeframes for when we will see level three to five AVs on the roads in New Zealand are unclear.

It says AVs will require robust and tested systems to ensure that they are both resilient and secure in the face of cyber and physical threats. New Zealand will also need a clear national cybersecurity framework to reduce the points of vulnerability across the network. Morrison says Aotearoa will need to develop regulations around third-party apps and aftermarket modifications and the requisite liability if there is a system breach.

The ministry says in the future, AVs could have security ratings (like safety ratings now) for AV models with different levels of software encryption. This would assure those who want to use AVs as an office while commuting to work that their information and network connection is secure.

"New Zealand will continue to leverage off other jurisdictions and international bodies (like the UN), as well as other sectors or industries that have navigated similar issues," says Morrison.

But Bartneck says the government has been too slow off the ground with AVs and is just being reactive to the market.

"I would say New Zealand is sleeping at the wheel when it comes to AVS. They've started to respond now to a situation when they should have been on to it actually, a long time ago," he says.

Bartneck points to companies like Ohmio, which has been trialling and experimenting with AVs in New Zealand for quite some time. He says in 2017, the company wanted to move their little minibus manufacturing from China to New Zealand. Instead, they signed a $20 million deal in 2018 to leave all the manufacturing in China. The ministry says Ohmio has run trials of a level four AV shuttle service in Christchurch, but there haven't been any higher levels of automation on New Zealand roads to date.

Morrison says the transport system is currently facing immense pressure from significant issues, including:

  • Climate change (transport is responsible for 39% of Aotearoa's total domestic carbon dioxide (CO2) emissions, and 17% of gross emissions.
  • Road safety (Aotearoa has some of the worst deaths and serious injuries statistics in the OECD).
  • Ensuring an efficient and resilient supply chain in the face of broader pressures e.g., pandemics, global political unrest, driver shortages etc.

"While AVs have the potential to significantly change the transport system in the future, there are not currently any vehicles beyond those with ADAS on our roads (i.e., Level 2 automation)," says Morrison.

"For this reason, the government has been prioritising the challenges. Resourcing and attention are largely being funnelled to more immediate challenges as it is harder to gain traction on an issue where timeframes and exact risks and opportunities are unclear."

Public Interest Journalism Fund logo
Public Interest Journalism funded through NZ On Air.
Related stories
Top stories
Story image
Cybersecurity
CISOs need to consider a risk-based cybersecurity strategy
Rather than talking in terms of attack vectors and vulnerabilities, CISOs and security decision-makers must look at actual business risk.
Story image
Cybersecurity
Claroty research unveils new attack that targets PLCs
Claroty has released research detailing a new type of cyber-attack, one that weaponises programmable logic controllers (PLCs).
Story image
Data Protection
Safeguarding your financial data
As the digital revolution marches on, managing data security has never been more important. Here are five important steps to take toward better financial data security.
Story image
Email scams
HelpSystems shines light on impact of response-based threats
Response-based attacks targeting corporate inboxes have climbed to their highest volume since 2020, representing 41% of all email-based scams.
Story image
Collaboration
Lacework launches new capabilities for better threat detection
Lacework has announced new capabilities that enable organisations to uncover more critical threats to their infrastructure and empower teams.
Story image
Microsoft
Avast reveals zero-day exploits targeting Chrome and Microsoft
Avast, released its Q2/2022 Threat Report today, revealing a significant increase in global ransomware attacks, up 24% from Q1/2022.
Story image
Cybersecurity
Education sector seeing highest volumes of cyber attacks
When breaking down the numbers to education attacks by region in July 2022, A/NZ was the most heavily attacked.
Story image
SaaS
Cloud and data protection big challenges for NZ businesses
"This surge towards a cloud-first approach meant security and safety became afterthoughts - there's no point being the fastest car on the racetrack if you crash.”
Story image
VMware
Latest VMware threat report reveals truth about deepfakes
"Cyber criminals have evolved. Their new goal is to use deepfake technology to compromise organisations and gain access to their environment."
Story image
DevOps
Dynatrace extends application security capabilities for runtime environments
Dynatrace has announced that it has extended its Application Security Module to detect and protect against vulnerabilities in runtime environments.
Story image
Surveillance
Ministry will no longer accept equipment from Chinese firm Hikvision
The Ministry of Business, Innovation and Employment (MBIE) says it will no longer accept equipment from a major Chinese surveillance camera maker.
Story image
Gartner Magic Quadrant
Gartner names Lookout a Visionary in 2022 Magic Quadrant
Gartner has recognised Lookout as a Visionary in the 2022 Magic Quadrant for Security Service Edge (SSE) and one of the top three offerings in the 2022 Gartner Critical Capabilities for SSE report.
Story image
Dark web
Beware the darkverse and its cyber-physical threats
A darkverse of criminality hidden from law enforcement could quickly evolve to fuel a new industry of metaverse-related cybercrime.
Story image
ExtraHop
Organisations exposing highly sensitive protocols to public internet
More than 60% of organisations expose remote control protocol SSH to the public internet, while 36% of organisations expose the insecure FTP protocol.
Story image
Biometrics
Can biometrics help? 123% increase in Gen Zs scammed online
In the three years leading up to 2022, the number of Gen Zs who fell victim to online scams rose by 123%, according to Ping Identity.
Story image
Cloud Security
Tenable makes additions to Cloud Security portfolio
Tenable has announced additions to Tenable Cloud Security that represent the next step in assessing threats related to cloud vulnerabilities.
Story image
Privileged Access Management / PAM
The importance of stopping identity sprawl for cybersecurity
The 2021 Data Breach Investigations Report (DBIR) shows that 61% of all breaches involve malicious actors gaining unauthorised, privileged access to data by using a compromised credential. Unfortunately, it is often too late when the misuse of a credential is detected.
Story image
Cybersecurity
Palo Alto Networks responds to rise in threats with MDR service
Unit 42 Managed Detection and Response is a new service that can offer continuous 24/7 threat detection, investigation and response.
Story image
Web application firewall
Radware recognised in KuppingerCole’s 2022 Leadership Compass report
Radware has been named a Product, Innovation, Market and Overall Leader in the 2022 KuppingerCole Leadership Compass report for Web Application Firewalls.
Story image
Compliance
Why security needs to shape your journey to the cloud
It's estimated that 80% of workloads could be in the cloud in the next few years. How can you make all that data secure?
Story image
InternetNZ
How well do rangatahi understand cyber safety in Aotearoa?
Do rangatahi in Aotearoa understand the importance of being safe online, or has lifelong exposure to the internet resulted in widespread complacency?
Story image
Dicker Data
Dicker Data brought on as Acronis partner for A/NZ
The news about the partnership comes in as cyber criminals continue to exploit gaps in traditional solutions and strategies in NZ and across the APAC region.
Story image
ROI
How to increase the success rate of business data projects
Amid changing economic conditions and uncertainties about supply chains and staff availability, it's never been more important for New Zealand organisations to be innovative.
Story image
Malware
Research shows attacks on the gaming industry are getting worse
Web application attacks in the gaming sector have grown by 167% from Q1 2021 to Q1 2022, according to new research from Akamai.
Story image
Firewall
Why printing security plays a vital part in keeping Aotearoa safe
While internet printing, mobile printing and other similar technologies have no doubt made things easier to manage, it has also brought a whole new set of problems to the table.
Story image
Government
Mandiant researchers uncover significant new disinformation campaign
Researchers from Mandiant say they have uncovered a significant disinformation campaign from the Chinese Government in the wake of U.S. Speaker Nancy Pelosi's visit to Taiwan.
Story image
Cyber attacks
Dramatic uptick in threat activity with exploits growing nearly 150%
"While it’s not a surprise given increased attack opportunities like remote work, it’s still a worrying development and one we cannot ignore."
Story image
Data analytics
Pressure on orgs to up their data analytics game - study
A recent report from Sisense highlights data transmission, analysis, and risk management remain top concerns for data professionals in APAC.
Story image
Sustainability
NZ program recovers and recycles more than 177 tonnes of e-waste
The TechCollect NZ pilot program says its milestone of recovering and recycling more than 177 tonnes of ICT e-waste recognises the efforts of many.
Story image
Gaming
Attacks on gaming companies more than double over past year
The State of the Internet report shows gaming companies and gamer accounts are at risk, following a surge in web application attacks post pandemic.
Story image
Data Protection
VMware introduces advanced workload protection for AWS
VMware Carbon Black Workload for AWS delivers comprehensive visibility and security across on-premises and cloud environments for AWS customers.
Story image
Google Cloud
Google Cloud to open first cloud region in NZ - among others
Google Cloud has announced plans to bring three new cloud regions, one each in New Zealand, Malaysia and Thailand.
Story image
Machine learning
Sysdig releases CDR offering to combat cryptojacking
Sysdig has unveiled a cloud detection and response (CDR) offering powered by machine learning to combat cryptojacking.
Story image
Servers
New Zealand cloud provider challenges Google's claims on data control for region
A Wellington cloud services provider says Google's claim it will offer New Zealanders complete control over their own data is not true.
Story image
Cybersecurity
Datacom research explores reality of zero trust in A/NZ
Zero trust is fast emerging as global best practice in cybersecurity and local leaders are on board, with 83% considering it essential to security.
Story image
Malware
Avast One extends protection with Online Safety Score
Avast One has extended its cross-platform support by adding its Online Safety Score feature to both the Mac and iOS platforms of Avast One.
Story image
Artificial Intelligence
Exclusive: NZ-based DEFEND offers global cyber protection
DEFEND supports customers in 66 countries across the globe with a relentless focus on ensuring that every dollar spent on security provides a meaningful return on investment and reduces cyber risk.
Story image
Data Protection
Zero Trust, but verify - finding the OT in ZerO Trust
The move to remote and cloud-based technologies has shifted the goalposts for cybersecurity. It now needs to cover multiple people, devices, platforms, and networks.
Story image
IDC
High level of Customer Identity & Access Management adoption
The study from Okta revealed that the pandemic has either accelerated or highlighted the need for digital-first strategies.
AWS Marketplace
Learn how security orchestration, automation, and response (SOAR) enhances your security strategy.
Link image
Story image
Indusface
Why enhancing bot protection for web and API endpoints matters
The trouble with bots is that they aren’t all bad. Unfortunately, this can make it challenging to detect malicious bots that find their way into your system and threaten your business.